What’s New in Fireware XTM v11.9
WatchGuard Training
TRANSCRIPT
What’s New in v11.9
APT Blocker — new security service
Data Loss Prevention (DLP) Custom Rule
OS Compatibility Settings
Traffic Management
• Feature redesign
• New monitoring options
Custom interface / security zone
Gateway Wireless Controller and Wireless AP updates
• Wireless coverage map and channel conflict map
• Control over DFS and channel limitations, transmit rate and power
• Support for AP102 indoor/outdoor access point
• Updated AP firmware 1.2.9.1
• Enhancements to AP device management and monitoring
XTM built-in wireless access points as independent interfaces
What’s New in v11.9
IPSec VPN
• Support for Diffie-Hellman groups 14, 15, 19, and 20
• Ability to enable/disable Branch Office VPNs
Mobile VPN with SSL
• Domain list on the Mobile VPN with SSL authentication page
• Mobile VPN with SSL automatic reconnect setting
• Bridge VPN Traffic now requires a LAN bridge
• SHA is no longer supported
FireCluster enhancements
• Web UI support for FireCluster
• Control monitored interfaces in an active/passive cluster
• PPPoE support on a FireCluster external interface
• Cluster management interface can be a bridge or VLAN interface
What’s New in v11.9
Authentication enhancements
• User lock out option for hotspots
• Authentication server timeout option, with PhoneFactor authentication support
IPv6 support
• IPv6 in Bridge, Link Aggregation, and VLAN interfaces
• IPv6 dynamic routing protocols
• IPv6 6-in-4 tunnel routes through a BOVPN virtual interface
Role-based device management: user accounts for device access and Audit Trail reports
Logging enhancements
• Integration with IBM’s SIEM system, QRadar
• SSO component log files
Device Configuration Template enhancements
• Inheritance Settings for APT Blocker
• WebBlocker profile support for Firebox T10
What’s New in v11.9
Other enhancements
• Device feedback enhancements
• Wireless interfaces chart on the Bandwidth page in the Web UI
• Static ARP configuration in the Web UI
• Static ARP for Bridge, VLAN, and Link Aggregation interfaces
• Support for DHCP option 50
• Support for OSPF ECMP
APT Blocker
What is an APT (Advanced Persistent Threat)?
• APTs leverage the latest targeted malware techniques and zero-day exploits (flaws which software vendors have not yet discovered or fixed) to infect and spread within a network.
• Designed to gain access to networks and access confidential data over extended periods of time.
• APTs are highly sophisticated and often target specific high-profile institutions such as government or financial-sector companies.
• APT use has now expanded to target smaller networks and lower profile organizations.
• Traditional signature-based scan techniques do not provide adequate protection against APTs.
APT Blocker
APT Blocker is a subscription service that uses best-of-breed full-system emulation analysis by our solution partner Lastline.
Lastline cloud performs file analysis in a sandbox environment to identify the characteristics and behavior of advanced malware in files and email attachments.
Includes full system emulation that goes beyond simple detection techniques to simulate a physical and software environment to analyze the deepest level of advanced malware activity.
Full system emulation ensures that advanced malware does not detect and evade the analysis.
APT Blocker — How Does it Work
Files that enter your network are scanned and an MD5 hash of the file is generated.
This MD5 hash is submitted to the Lastline cloud-based data center over HTTPS where it is compared to a database of analyzed files and results are returned immediately.
If the analysis results in a match to a known malware threat, you can take immediate action on the file.
If there is no match with the available data center analysis results, this means the specific file has never been seen or analyzed before.
• In this case the actual file is submitted to the Lastline data center where the file undergoes deep analysis for advanced malware activity.
• This analysis occurs at the same time as the file transfer, and the connection is passed through while the device waits for the result of the analysis.
• The result is returned in minutes, and if there is evidence of malware activity in the file, your WatchGuard Firebox or XTM device can generate an alarm notification.
APT Blocker — Supported Proxies and File Types
APT Blocker can scan files for the HTTP, FTP, and SMTP proxies.
APT Blocker can scan these file types:
• Windows PE (Portable Executable) files. Includes Windows XP and Windows 7/8 files with .cpl, .exe, .dll, .ocx, .sys, .scr, .drv, and .efi extensions.
• Adobe PDF documents
• Microsoft Office documents
• Rich Text Format (RTF) documents
• Android executable files (.apk)
APT Blocker can also examine files within these compressed archives:
• gzip
• tar
• zip
APT Blocker & Other Security Services
APT Blocker combines with these other security services on your Firebox or XTM device to provide additional layers of defense against network threats:
• Gateway AntiVirus
• Reputation Enabled Defense (RED)
• WebBlocker
APT Blocker & Gateway Anti-Virus
APT Blocker utilizes the same scanning process as Gateway Anti-Virus.
You must have Gateway Anti-Virus enabled to enable APT Blocker on a specific proxy.
Files are scanned by Gateway Anti-Virus before they are scanned by APT Blocker.
Only files that have been scanned and processed as clean by Gateway AntiVirus are scanned by APT Blocker.
You can customize which file types you want scanned by APT in the Gateway Anti-Virus configuration.
If the Gateway Anti-Virus scan is enabled on a specific file/content type in the configuration, APT will scan the file as long as the file type is supported by APT.
APT Blocker & Gateway Anti-Virus Scan Limits
APT Blocker cannot scan or analyze partial files. Although APT Blocker cannot scan partial files, most malware is delivered in files smaller than 1 MB in size.
APT Blocker scan limits are based on the scan limits set in the Gateway AntiVirus configuration. The default and maximum scan limits vary by Firebox or XTM device model. The default scan limit for most Firebox and XTM devices is 1 MB. Firebox T10 and XTM 2 Series have a default of 512 KB.
You can increase the scan limit to scan larger files for increased protection, but this uses more system memory and it could result in fewer concurrent connections through the appliance.
The maximum file size allowed for APT Blocker is 8 MB.
APT Blocker & Reputation Enabled Defense (RED)
WatchGuard RED uses a cloud-based WatchGuard reputation server that assigns a reputation score between 1 and 100 to every URL.
WatchGuard recommends that you do not enable the “Bypass any configured virus scanning for URLs that have a good reputation” option in the Reputation Enabled Defense configuration.
This ensures that all traffic is scanned by Gateway AntiVirus and APT Blocker.
APT Blocker & WebBlocker
An important defense against advanced malware is to detect botnet activity and any command and control traffic from inside your network to external servers.
WebBlocker uses a database of web site addresses (identified by content categories) to allow or block web site traffic.
WatchGuard recommends that you configure the WebBlocker service to block traffic for these security URL categories to detect and prevent this type of activity:
• Malicious Embedded Link
• Malicious Embedded iFrame
• Mobile Malware
• Advanced Malware Command and Control
• Elevated Exposure
• Emerging Exploits
• Potentially Damaging Content
• Dynamic DNS
• Security
• Malicious Web Sites
• Spyware
• Phishing and Other Frauds
• Keyloggers
• Potentially Unwanted Software
• Bot Networks
• Suspicious Embedded Link
APT Blocker — Configuration
APT Blocker categorizes APT activity based on the severity of the threat:
• High
• Medium
• Low
All threat levels are considered malware. Higher levels have more significant indicators of malware.
For each threat level, you can assign an action:
• Allow
• Drop (SMTP proxy strips attachment)
• Block (SMTP proxy strips attachment)
• Quarantine (SMTP only, HTTP/FTP drops connection)
Enable notification and log settings to make sure you are notified of malware activity.
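The decision path described on the preceding slides (proxy and file-type eligibility, the scan limit, MD5 lookup against already-analyzed files, fallback submission of an unseen file, and the threat-level-to-action assignment per proxy), modelled as an added Python example; this is not WatchGuard or Lastline code. The magic-byte table, the LEVEL_ACTION assignment, the sample files and the demo_sandbox stand-in are constructed assumptions.

```python
import hashlib

SUPPORTED_PROXIES = {"http", "ftp", "smtp"}
DEFAULT_SCAN_LIMIT = 1024 * 1024        # 1 MB default; Firebox T10 / XTM 2 Series default to 512 KB
APT_MAX_FILE_SIZE = 8 * 1024 * 1024    # hard ceiling for APT Blocker

# Leading bytes used here to recognise the file families the slides list (assumption: a real
# implementation has fuller type detection). PK\x03\x04 covers zip, OOXML Office and .apk.
MAGIC = {
    b"MZ": "pe", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "office",
    b"{\\rtf": "rtf", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip",
}

def detect_type(data):
    if data[257:262] == b"ustar":          # tar magic lives at offset 257
        return "tar"
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

# Constructed admin policy: one action per threat level (the slides' High / Medium / Low).
LEVEL_ACTION = {"high": "quarantine", "medium": "block", "low": "drop"}

def enforce(action, proxy):
    """What the proxy actually does with the configured action."""
    if action == "allow":
        return "allow"
    if proxy == "smtp":                    # SMTP can strip the attachment or quarantine the message
        return "quarantine message" if action == "quarantine" else "strip attachment"
    return "drop connection"               # HTTP/FTP: drop, block and quarantine all drop the connection

def apt_blocker(data, proxy, scan_limit=DEFAULT_SCAN_LIMIT, known=None, sandbox=None):
    """Model of the APT Blocker decision path for one file seen by one proxy."""
    known = known or {}
    result = {"proxy": proxy, "md5": hashlib.md5(data).hexdigest()}
    if proxy not in SUPPORTED_PROXIES:
        result["outcome"] = "not scanned: proxy not supported"
        return result
    result["type"] = detect_type(data)
    if result["type"] is None:
        result["outcome"] = "not scanned: file type not supported"
        return result
    if len(data) > min(scan_limit, APT_MAX_FILE_SIZE):
        result["outcome"] = "not scanned: exceeds scan limit (partial files are not analyzed)"
        return result
    level = known.get(result["md5"])        # step 1: hash lookup against analyzed files
    if level is not None:
        result["source"] = "hash lookup"
    else:                                   # step 2: never seen before, submit the whole file
        result["source"] = "submitted for sandbox analysis"
        result["passed_through_while_waiting"] = True
        level = sandbox(data) if sandbox else None
    result["threat_level"] = level
    result["outcome"] = enforce(LEVEL_ACTION[level], proxy) if level else "clean"
    return result

# Constructed sample inputs (not real malware) and stand-ins for the Lastline services.
SAMPLE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample\n" + b"\x00" * 100
KNOWN_HASHES = {hashlib.md5(SAMPLE_PE).hexdigest(): "high"}   # md5 -> threat level

def demo_sandbox(data):
    """Stand-in for full-system emulation: flags files that contain the marker b'EVIL'."""
    return "low" if b"EVIL" in data else None

if __name__ == "__main__":
    for name, blob, proxy in [("pe", SAMPLE_PE, "smtp"), ("pdf", SAMPLE_PDF + b"EVIL", "http")]:
        print(name, apt_blocker(blob, proxy, known=KNOWN_HASHES, sandbox=demo_sandbox))
```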
APT Blocker — Enable in a Policy
You can enable or disable APT Blocker for a specific policy in the APT Blocker configuration or when you edit a proxy action.
APT Blocker — Notifications & Log Messages
APT Blocker uses email notification alerts to notify the administrator of APT threats.
Log analysis of APT Blocker messages provides detailed information about the threat.
APT Blocker Reports
WatchGuard Dimension v1.2 provides support for APT Blocker reports.
DLP Custom Rule
You can now add a custom rule to your DLP configuration.
Allows you to customize your DLP configuration beyond the predefined rules.
You can scan your network traffic for special phrases specific to your organization.
For example, use email and document security classifications with your custom rule to prevent sensitive messages and documents from leaving your network.
DLP Custom Rule Configuration Notes
You can only create a single custom rule.
The custom rule can contain multiple words and phrases that you want to monitor or control. Each phrase can be up to 127 characters in length.
• Note that long phrase lengths can impact system performance.
There is no limit to the number of phrases, but a large number of phrases in your custom rule can impact system performance.
• We recommend you use at maximum 15 phrases within a custom rule.
Phrases must consist of Unicode characters in the Basic Multilingual Plane (BMP) only. The BMP is the first 65,536 characters in Unicode.
• This covers most major language character sets.
Only simple text matching is performed. Regular expressions are not supported.
Text matching is case-insensitive.
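An added Python example (not WatchGuard's code) that applies the custom-rule limits listed above (BMP-only phrases, 127-character maximum, the recommended 15-phrase cap) and then runs case-insensitive literal matching, with no regular expressions, over a constructed outbound email; the rule phrases and the message are constructed samples.

```python
MAX_PHRASE_LEN = 127          # per-phrase limit from the slides
RECOMMENDED_MAX_PHRASES = 15  # WatchGuard's recommendation, not a hard limit
BMP_MAX = 0xFFFF              # Basic Multilingual Plane: U+0000..U+FFFF

def validate_phrases(raw_phrases):
    """Apply the custom-rule limits; returns (accepted phrases, list of problems)."""
    accepted, problems = [], []
    for raw in raw_phrases:
        phrase = raw.strip()
        if not phrase:
            continue
        if len(phrase) > MAX_PHRASE_LEN:
            problems.append(f"too long ({len(phrase)} > {MAX_PHRASE_LEN}): {phrase[:24]}...")
            continue
        outside = [c for c in phrase if ord(c) > BMP_MAX]
        if outside:
            problems.append(f"outside BMP (U+{ord(outside[0]):X}): {phrase}")
            continue
        accepted.append(phrase)
    if len(accepted) > RECOMMENDED_MAX_PHRASES:
        problems.append(f"{len(accepted)} phrases; more than {RECOMMENDED_MAX_PHRASES} may hurt performance")
    return accepted, problems

def match_custom_rule(text, phrases):
    """Simple case-insensitive substring matching; regex metacharacters are literal text."""
    haystack = text.casefold()
    return [p for p in phrases if p.casefold() in haystack]

# Constructed rule phrases modelled on email/document classification markers.
SAMPLE_RULE_PHRASES = [
    "Internal Only",
    "Classification: Confidential",
    "Project Falcon",
    r"Project\s+Falcon",          # looks like a regex; DLP treats it as literal text, so it never matches
    "🔒 Restricted",              # U+1F512 lies outside the BMP, so the phrase is rejected
    "x" * 128,                    # one character over the 127-character limit
]

# Constructed outbound message that a DLP sensor on the SMTP proxy would inspect.
SAMPLE_EMAIL = """Subject: Q3 numbers
CLASSIFICATION: CONFIDENTIAL
Sharing the project falcon forecast. INTERNAL ONLY, please do not forward.
"""

if __name__ == "__main__":
    ok, problems = validate_phrases(SAMPLE_RULE_PHRASES)
    print("accepted:", ok)
    print("problems:", problems)
    print("matches:", match_custom_rule(SAMPLE_EMAIL, ok))
```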
Configure a DLP Custom Rule
In the DLP configuration, select the Custom Rule tab.
Type a descriptive name for the Custom Rule.
Type a list of phrases, one phrase per line.
Enable the Custom Rule for a DLP Sensor
Enable your custom rule that contains the phrases you want to monitor and control in the configuration for a DLP sensor.
DLP Custom Rule
You can then enable the DLP sensor for each policy as required.
OS Compatibility
OS Compatibility Setting
Policy Manager now has an OS Compatibility setting that controls which options are available for some features.
If you use Policy Manager to open the configuration from a device, the Fireware XTM version is automatically set based on the OS version the device uses.
For a new configuration file, you must select the Fireware XTM version before you can configure some features, such as network settings and Traffic Management.
• Policy Manager automatically takes you to the OS Compatibility dialog box, when needed.
• Or you can select Setup > OS Compatibility.
Traffic Management
Traffic Management Enhancements
Traffic Management functionality has been completely redesigned in v11.9.
Key differences from v11.8 and all previous versions:
• Traffic Management actions are not tied to a physical XTM device interface. The interface in the policy determines which interface an action applies to. Traffic Management actions can apply to all interface types, including VLAN, Bridge, link aggregation, and wireless interfaces, which were not supported before.
• There are three Traffic Management action types.
• A policy uses different Traffic Management actions for forward and reverse traffic.
• You can apply Traffic Management actions to applications and application categories, in addition to policies.
• The new Traffic Management tab in Firebox System Manager shows detailed statistics for each traffic management action by policy and application.
Traffic Management Use Cases
The Traffic Management settings in v11.9 support a wide variety of use cases such as these:
• Limit HTTP for all users on the Trusted interface; allow 2 Mbps maximum download bandwidth, and 1 Mbps upload bandwidth.
• Guarantee 10 Mbps throughput for HTTP traffic for a specific user.
• Set a maximum and guaranteed bandwidth for each IP address, without creating a separate policy for each user.
• Limit or guarantee the bandwidth used by specific applications.
• Limit HTTP bandwidth for a group to 2 Mbit per user in the group. But limit the bandwidth used by streaming media applications to 100 Kbit per user.
The configuration for each use case is described at the end of this section.
Traffic Management and Configuration Upgrade
When you upgrade a configuration from v11.8.x or lower to v11.9, any existing traffic management actions are removed.
Because the redesigned traffic management feature works so differently, there is no equivalent v11.9 traffic management action to convert to.
Policy Manager shows different options for Traffic Management actions based on the OS Compatibility setting.
Traffic Management Action Configuration
To create a new Traffic Management action:
• Select Setup > Actions > Traffic Management. Click Add.
• If prompted for OS Compatibility, select 11.9 or higher.
Select the action Type:
• All Policies — Applies to the combined bandwidth of all policies that use it
• Per Policy — Applies individually to each policy that uses it
• Per IP Address — Applies individually to each client source IP address
Configure the action settings:
• Maximum bandwidth
• Guaranteed bandwidth
• Maximum instance (Per IP Address actions only)
Traffic Management Action Settings
Maximum Bandwidth
• The maximum amount of bandwidth to allocate for traffic that uses this action.
• If set to 0, there is no maximum.
Guaranteed Bandwidth
• The minimum amount of bandwidth to guarantee for traffic that uses this action.
• If set to 0, there is no guaranteed bandwidth.
• It is possible to configure policies with combined guaranteed bandwidth that exceeds the available bandwidth.
• The bandwidth can be guaranteed only if the combined guaranteed bandwidth for all concurrent traffic does not exceed the available bandwidth.
If the device is configured for Multi-WAN with the Round Robin or Routing Table options, the total available bandwidth is the aggregate interface bandwidth (the sum of the external bandwidth for each interface).
Traffic Management Action Settings
Maximum Instance — For Per IP Address actions only
• The maximum number of individual source IP addresses that the bandwidth constraints in the action can apply to.
• If the number of concurrent source IP addresses that use a Per IP Address action is larger than the Maximum Instance, multiple source IP addresses share the bandwidth specified in the action.
A round-robin algorithm determines which source IP addresses share bandwidth.
Recently connected source IP addresses share bandwidth with source IP addresses that have been connected longest.
Traffic Management Action Types
Consider the effect of a Traffic Management action with a maximum bandwidth of 1 Mbps, applied to four policies.
If the action type is All Policies, all four policies share the defined 1 Mbps maximum bandwidth, if it is available.
If the action type is Per Policy, each of the four policies individually can use the defined 1 Mbps maximum bandwidth, if it is available.
If the action type is Per IP Address, each source IP address for traffic handled by any of the four policies can use the defined 1 Mbps maximum bandwidth, if it is available.
Traffic Management in Policies
In a policy, you can configure a separate Traffic Management action for traffic in each direction.
• Forward Action — Applies to traffic that originates from the From list (source)
• Reverse Action — Applies to traffic that originates from the To list (destination)
If a policy uses the same action for both directions, the action applies to the combined bandwidth of traffic in both directions.
Traffic Management in Application Categories
You can apply Traffic Management actions to Application Control applications and application categories.
For an application, if you set the action for all behaviors or for specific behaviors to Allow, you can optionally enable Traffic Management and select a Traffic Management action to apply to the allowed traffic.
Traffic Management for Application Categories
You can apply Traffic Management actions to an application category.
All applications in the category share the bandwidth specified in the Traffic Management action.
Traffic Management for Application Categories
If you assign a Per-IP Address Traffic Management action to multiple applications or categories, all applications in those categories share the bandwidth allocated independently to each source IP address.
Traffic Management Action Precedence
If more than one Traffic Management action could apply to traffic, the XTM device applies the most specific action.
Traffic Management actions from most specific to least specific are:
1. Application
2. Application category
3. Policy
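An added Python model (not WatchGuard's code) of the semantics described in the Action Types, Maximum Instance and Action Precedence slides above: which flows share one bandwidth pool under All Policies, Per Policy and Per IP Address, how source IPs beyond Maximum Instance are assigned round-robin to existing pools, and how the most specific action wins. Policy names, client IP addresses, the slot-assignment detail and the use_case_5 function (which mirrors Use Case 5 later in this deck) are assumptions.

```python
from collections import defaultdict

PRECEDENCE = ("application", "category", "policy")   # most specific first

class TMAction:
    """One Traffic Management action of type All Policies, Per Policy or Per IP Address."""

    def __init__(self, name, kind, max_kbps=0, guaranteed_kbps=0, max_instance=0):
        if kind not in ("all_policies", "per_policy", "per_ip"):
            raise ValueError(f"unknown action type {kind!r}")
        self.name, self.kind = name, kind
        self.max_kbps, self.guaranteed_kbps = max_kbps, guaranteed_kbps  # 0 = no maximum / no guarantee
        self.max_instance = max_instance        # Per IP Address only; 0 = unlimited instances
        self._ip_slot = {}                      # per_ip: source IP -> instance slot, in connection order

    def bucket(self, policy, src_ip):
        """Key of the bandwidth pool that a flow from src_ip under `policy` shares."""
        if self.kind == "all_policies":
            return (self.name,)                 # every policy using the action shares one pool
        if self.kind == "per_policy":
            return (self.name, policy)          # one pool per policy
        if src_ip not in self._ip_slot:         # one pool per source IP, up to max_instance
            n = len(self._ip_slot)
            # Beyond max_instance a newly connected IP is assigned round-robin, so it shares
            # the pool of the IP that has been connected longest (assumed slot order).
            self._ip_slot[src_ip] = n % self.max_instance if self.max_instance else n
        return (self.name, "ip-slot", self._ip_slot[src_ip])

def resolve_action(flow, bindings):
    """Pick the most specific action bound to the flow: application > category > policy."""
    for level in PRECEDENCE:
        action = bindings.get(level, {}).get(flow.get(level))
        if action is not None:
            return action
    return None

def allocate(flows, bindings):
    """Group flows into the pools they share; returns {pool key: (max_kbps, [flow ids])}."""
    pools, limits = defaultdict(list), {}
    for flow in flows:
        action = resolve_action(flow, bindings)
        if action is None:
            continue                            # no Traffic Management applies to this flow
        key = action.bucket(flow["policy"], flow["src_ip"])
        pools[key].append(flow["id"])
        limits[key] = action.max_kbps
    return {k: (limits[k], ids) for k, ids in pools.items()}

# Constructed scenario from the slide: a 1 Mbps maximum applied to four policies,
# with three client IP addresses sending traffic through each of them.
POLICIES = ["HTTP-Staff", "HTTP-Guest", "FTP", "SMTP"]
CLIENTS = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]

def slide_scenario(kind, max_instance=0):
    action = TMAction("TM.1M", kind, max_kbps=1000, max_instance=max_instance)
    flows = [{"id": f"{p}/{ip}", "policy": p, "src_ip": ip} for p in POLICIES for ip in CLIENTS]
    return allocate(flows, {"policy": {p: action for p in POLICIES}})

def use_case_5():
    """Use Case 5: 2 Mbps per user for HTTP, but 100 Kbps per user for streaming media."""
    tm_2m = TMAction("TM.2M", "per_ip", max_kbps=2000)
    tm_100k = TMAction("TM.100K", "per_ip", max_kbps=100)
    bindings = {"policy": {"HTTP-Group": tm_2m}, "category": {"Streaming Media": tm_100k}}
    flows = [
        {"id": "web", "policy": "HTTP-Group", "src_ip": "10.0.1.10"},
        {"id": "video", "policy": "HTTP-Group", "src_ip": "10.0.1.10", "category": "Streaming Media"},
    ]
    return {f["id"]: resolve_action(f, bindings).name for f in flows}

if __name__ == "__main__":
    for kind in ("all_policies", "per_policy", "per_ip"):
        print(kind, slide_scenario(kind))
    print("per_ip, Maximum Instance 2:", slide_scenario("per_ip", max_instance=2))
    print("use case 5:", use_case_5())
```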
Traffic Management — Monitoring
Traffic Management statistics and graphs are available in:
• Firebox System Manager — Traffic Management tab
• Fireware XTM Web UI — System Status > Traffic Management page
The chart shows statistics for the selected action. In Firebox System Manager, hover over the action name to see the list of policies, applications, and source IP addresses it applies to. Expand a Per-IP action to see statistics for each source IP address.
Traffic Management Use Case 1
Limit HTTP for all users on the Trusted interface; allow 2 Mbps maximum download bandwidth, and 1 Mbps upload bandwidth.
1. Configure an HTTP policy for traffic From: Trusted, To: Any-External.
2. Add a Per Policy Traffic Management action with Maximum 1 Mbps.
3. Add a Per Policy Traffic Management action with Maximum 2 Mbps.
4. In the HTTP policy:
   Set the Forward Action to the action with the 1 Mbps maximum to limit uploads.
   Set the Reverse Action to the action with the 2 Mbps maximum to limit downloads.
Traffic Management Use Case 2
Guarantee 10 Mbps throughput for HTTP traffic for a specific user.
1. Add a Per Policy Traffic Management action with 10 Mbps Guaranteed bandwidth.
2. Create an HTTP policy for traffic From: <username> To: Any-External.
3. Use the Traffic Management action as both the Forward Action and Reverse Action in the HTTP policy.
Traffic Management Use Case 3
Set a maximum and guaranteed bandwidth for each IP address, without creating a separate policy for each user.
1. Create a policy for the traffic from the list of users.
2. Add a Per IP Address Traffic Management action with the guaranteed and maximum bandwidth settings.
3. Use the Traffic Management action in the policy as both the Forward and Reverse action.
Traffic Management Use Case 4
Limit or guarantee the bandwidth used by specific applications.
1. Add a Traffic Management action to limit or guarantee bandwidth.
2. Configure Application Control to use the Traffic Management action for each application.
3. Enable Application Control in the policy that handles traffic for the application.
Traffic Management Use Case 5
Limit HTTP bandwidth for a group to 2 Mbit per user in the group. But limit the bandwidth used by streaming media applications to 100 Kbit per user.
1. Add a Traffic Management Per IP Address action TM.2M with 2 Mbps Maximum bandwidth.
2. Create an HTTP policy for the group and use the Traffic Management action. From: <group name> To: Any-External. Use TM.2M as the Forward Action and the Reverse Action for Traffic Management.
Traffic Management Use Case 5
3. Add a Traffic Management Per IP Address action TM.100K with 100 Kbps Maximum bandwidth.
4. Use the TM.100K action for the Streaming Media application category in Application Control.
5. Enable the HTTP policy to use the Application Control action.
Custom Interface
Fireware XTM v11.9 introduces a new interface type called Custom.
• Use a custom interface to define a custom security zone that is separate from the predefined trusted, optional, and external zones.
• A custom interface is not a member of the built-in aliases: Any-Trusted, Any-Optional, or Any-External.
• Traffic for a custom interface is not handled by the default policies that use these aliases.
You must create or edit policies to handle traffic for a custom interface.
• You can use the interface name (alias) in policies.
• Or, add the interface name to another alias that you use in policies.
You can configure any of these interface types as a custom interface:
• Physical interface
• Wireless interface
• Network bridge
• VLAN interface
• Link Aggregation interface
Custom Interface
A custom interface supports all the same settings as a trusted or optional interface.
Custom Interface
To create a wireless guest network that fully separates traffic for wireless clients from your trusted and optional networks, you can configure a Wireless Access Point as a custom interface.
Gateway Wireless Controller & Wireless AP
WatchGuard AP Firmware 1.2.9.1
Supports new AP102 Indoor/Outdoor Device Model
New Gateway Wireless Controller options
• LED Pairing status indicator
• Disable LEDs
• Disable DFS Channels
• Use Outdoor Channels only
• Transmit Power
• SSH Access
New Gateway Wireless Controller Monitoring options
• Flash LEDs
• Restart Wireless
• Secondary channel display
AP Wireless Maps
AP102 Outdoor Access Point
Identical in specifications to the AP100 single radio model.
Special design for low-profile deployment in indoor or outdoor environment:
• Internal antennas
• Water-resistant case
• Minimalist labeling
• Small LEDs
Includes mounting kit for mounting outdoors to a pole or other structure.
Gateway Wireless Controller — New Options
Disable LEDs
• Operates your AP device in stealth mode to hide the use of wireless activity when the device is deployed in a location that requires additional security.
Use Outdoor Channels Only
• Enabled by default for AP102 outdoor wireless devices.
Disable DFS Channels
• DFS channels are used with radar and your AP device will stop transmitting if radar signals are detected on that channel. This option disables these channels to prevent interference.
Gateway Wireless Controller — Transmit Power
TX Power
• For each radio, you can optionally set the maximum transmit power to limit or expand the transmission distance of your wireless signals.
• You can set the transmit power between 3 dBm and 20 dBm, or set the value to Auto.
• The default (Auto) is 20 dBm.
• The transmit power cannot exceed the regulatory limits set by your region.
Gateway Wireless Controller — SSH Access
SSH Access on WatchGuard APs
• Can be used by technical support.
• Disabled by default for security reasons.
• Only enable if requested by technical support.
Gateway Wireless Controller — Monitoring
Flash Power LED
• You can flash the power LED on a specific AP device to help with identification of a particular device.
• This utility is useful if you use the Disable LEDs option to operate your AP device in stealth mode to hide the use of wireless activity.
Restart Wireless
• You can restart the wireless interfaces without having to reboot the device.
• Allows auto channel selection to set a new channel if you have interference.
Gateway Wireless Controller — Monitoring
Secondary channel display
• Secondary channel information for each radio, if available, is now displayed in the Gateway Wireless Controller monitoring page and in the site survey.
Gateway Wireless Controller — Maps
In Fireware XTM Web UI, use the Maps tab on the Dashboard > Gateway Wireless Controller page to help you visualize your wireless environment, determine where to place your AP devices, and how to best configure them for your network environment.
Two views:
• Wireless Coverage Map — Shows the location of your Access Point devices in relation to one another.
• Channel Conflict Map — Shows the location of your Access Point devices and any other wireless devices in the vicinity and shows the channel and bandwidth details for each device.
Select which radio bands to show on the maps:
• 2.4 GHz
• 5 GHz
Select which SSIDs to show on the maps.
Enable the Sticky Access Points option to anchor the AP devices to a place on the map.
XTM Wireless
XTM Wireless Interface Changes
You can now use an XTM Wireless Interface with any network.
• No longer limited to Trusted/Optional and Guest network.
Any interface can be used as a Guest network.
The previous Guest network interface is renamed Access point 3.
You can choose a Trusted, Optional, Bridge, VLAN, or Custom (new) interface.
XTM Wireless Guest Network and Custom Interface
To enable a wireless network for guest users, you can configure an access point in the Custom zone.
Custom is separate from the predefined trusted, optional, and external zones.
A custom interface is not a member of the built-in aliases Any-Trusted, Any-Optional, or Any-External.
Traffic for a custom interface is not handled by the default policies that use these aliases.
Use the wireless interface alias in policies that you want to handle traffic from wireless clients so they cannot access Trusted or Optional networks.
VPN Enhancements
IPSec VPN — Diffie-Hellman Group Support
Fireware XTM v11.9 adds support for more secure Diffie-Hellman groups:
• DH Group 14: 2048-bit group
• DH Group 15: 3072-bit group
• DH Group 19: 256-bit elliptic curve group
• DH Group 20: 384-bit elliptic curve group
You can use these Diffie-Hellman groups when you configure:
• Branch Office VPN
• BOVPN virtual interface
• Mobile VPN with IPSec
• Mobile VPN with L2TP
Enable/Disable Branch Office VPNs
You can now disable and enable BOVPN gateways and BOVPN virtual interfaces.
When a BOVPN is disabled:
• You can still edit BOVPN gateway, tunnel, and virtual interface settings.
• The tunnels associated with a disabled BOVPN gateway are disabled.
• Disabled tunnel routes do not appear in the Status Report.
• BOVPN virtual interface routes are not added to the routing table.
• Disabled tunnels and BOVPN virtual interfaces are disabled in the BOVPN-Allow.out and BOVPN-Allow.in policies, and in any other policies that use them.
Mobile VPN with SSL
If you configure Mobile VPN with SSL to use more than one authentication server, the user can now select the authentication server from the Domain drop-down list on the SSLVPN authentication page.
This change affects the SSLVPN.html page where users download a Mobile VPN with SSL client: https://<interface-ip-address>/sslvpn.html
Mobile VPN with SSL — Auto Reconnect Setting
The authentication settings for Mobile VPN with SSL now include an option to control whether the Mobile VPN with SSL client automatically reconnects.
• The setting to force users to authenticate after a connection is lost is available only after the auto reconnect option is enabled.
• If the auto reconnect option is enabled in the device configuration, the v11.9 Mobile VPN with SSL client has a check box that lets the user control whether the client automatically reconnects.
Mobile VPN with SSL Client
The v11.9 Mobile VPN with SSL client has two new check boxes.
• Automatically reconnect
This check box appears in the client only if the “Auto connect after a password is lost” option is enabled in the Mobile VPN with SSL authentication settings on the Firebox or XTM device. When this check box is selected, the client automatically tries to reconnect after a connection was lost.
• Remember password
This check box appears in the client only if the “Allow the Mobile SSL with VPN client to remember the password” option is enabled in the Mobile VPN with SSL settings on the Firebox or XTM device. When this check box is selected, the client remembers the password used for the previous connection.
WatchGuard Training 7171
Mobile VPN with SSL — Bridge VPN Traffic to a Mobile VPN with SSL — Bridge VPN Traffic to a BridgeBridge The Mobile VPN with SSL Bridge VPN Traffic option now requires
that you first configure a network bridge. • The Bridge to interface
drop-down list now includes only bridge interfaces.
Fireware XTM v11.8.x and lowerdid not support bridging VPN traffic to a network bridge.• When you upgrade to v11.9
from an earlier version, ifMobile VPN with SSL wasconfigured to bridge VPN trafficto an interface, the upgrade process automatically createsa new bridge that includes theinterface.
Mobile VPN with SSL — SHA Authentication
The authentication algorithm option named SHA is no longer supported for Mobile VPN with SSL.
Supported authentication algorithms are:
• MD5
• SHA-1
• SHA-256
• SHA-512
MD5 and SHA-1 remain only for compatibility with older clients; select SHA-256 or SHA-512 for new deployments.
FireCluster
FireCluster — Web UI Support
You can now use the Fireware XTM Web UI to connect to a FireCluster.
• To connect to the Web UI for a FireCluster on an interface IP address: https://<interface-IP-address>:8080
• To connect to an individual cluster member, use the management IP address: https://<cluster-member-management-ip-address>:8080
On the Front Panel page, you can see the name of the cluster member you are connected to. If you connected to an interface IP address, this is the name of the current cluster master.
FireCluster — Web UI Support
When connected to the cluster master, you can make any type of configuration change you could make to a non-clustered device.
• Configuration changes are automatically synchronized with the backup master.
You cannot use the Fireware XTM Web UI to:
• Enable or disable a FireCluster or change FireCluster settings
• Force a FireCluster member to fail over
• Make a member join or leave a cluster
• Discover a cluster member
• Monitor cluster health
• Upgrade both members of a cluster
When connected to the backup master, you can:
• Upgrade the Fireware XTM OS on the backup master
• Save or restore a backup image to the backup master
• Reboot the backup master
• Update subscription services signatures on the backup master
FireCluster — Web UI Support
When you connect to the Web UI for the cluster master, most pages show combined information and statistics for both cluster members.
There are two pages that show information for only one member at a time:
• Dashboard > Traffic Monitor
• System Status > Traffic Management
Information about the cluster master is shown by default. Use the drop-down list to select the cluster member to monitor.
FireCluster — Link Monitoring Control
For an active/passive cluster, you can now control which interfaces are monitored for link status as criteria for failover.
All enabled interfaces are monitored by default.
To disable link monitoring for an interface, clear the check box in the Monitor Link column. A link failure on an interface that is not monitored does not trigger failover.
WatchGuard recommends that you monitor the link status of all enabled interfaces.
FireCluster — PPPoE Support
You can now enable an active/passive FireCluster when the external interface uses PPPoE.
• The option to configure an active/active cluster is not available if an external interface uses PPPoE.
• If the external interface uses PPPoE, you cannot select the external interface as the FireCluster interface for the management IP address.
FireCluster — VLAN or Bridge for Management Interface
You can now select a bridge or VLAN interface as the FireCluster management interface.
IPv6
IPv6 in Bridge, Link Aggregation, and VLAN Interfaces
IPv6 addresses are now supported on Bridge, Link Aggregation, and VLAN interfaces. The IPv6 settings are the same as for IPv6 on a physical interface.
IPv6 in Bridge, Link Aggregation, and VLAN Interfaces
You can now create IPv6 static routes to Bridge, Link Aggregation, and VLAN interfaces that have IPv6 enabled. When you add the IPv6 static route, you can specify the interface to route through. The list of interfaces now includes Bridge, Link Aggregation, and VLAN interfaces, in addition to physical interfaces.
IPv6 Dynamic Routing
Fireware XTM now supports IPv6 dynamic routing protocols:
• RIPng (RIP next generation)
• OSPFv3
• BGP v4
The dynamic routing configuration has two new tabs:
• RIPng
• OSPFv3
There is no new tab for BGP, but you can now use IPv6 commands in the BGP tab.
When you enable RIPng or OSPFv3, new dynamic routing policies are automatically created to allow the protocol traffic:
• DR-RIPng-Allow
• DR-OSPFv3-Allow
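As an added example, not from the WatchGuard slides: a BGP configuration that announces an IPv6 prefix to an IPv6 peer, of the kind the slide says can now be entered in the BGP tab. The assumption is that the BGP tab accepts Quagga-style router commands; the AS numbers, router ID, neighbor address and prefix are placeholders from the documentation ranges, not values from the page.

```text
router bgp 65001
 bgp router-id 203.0.113.1
 neighbor 2001:db8:ffff::2 remote-as 65002
 address-family ipv6
  network 2001:db8:1::/48
  neighbor 2001:db8:ffff::2 activate
 exit-address-family
```

The IPv6 neighbor is defined under `router bgp` like an IPv4 peer, but it exchanges IPv6 prefixes only after it is activated inside `address-family ipv6`; without that block the session comes up and carries nothing useful.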
IPv6 Dynamic Routing — Limitations
Two OSPFv3 commands are not supported:
• Area
• Access list
IPv6 BOVPN Virtual Interface Tunnel Routes
You can now add IPv6 BOVPN virtual interface tunnel routes. This enables you to route IPv6 traffic through an IPv4 BOVPN tunnel between two Firebox or XTM devices.
An IPv6 BOVPN virtual interface route is a 6in4 tunnel route that uses a GRE tunnel inside the IPSec BOVPN tunnel.
Role-based Device User Accounts For Management & Auditing
Device Management User Accounts — Manage
You can now configure additional user accounts on your Firebox or XTM device so that users log in to the device with their own user accounts to manage and monitor the device.
There are two roles you can assign to users:
• Device Administrator
• Device Monitor
Each device has three default user accounts:
• status — The default Device Monitor user account
• admin — The default Device Administrator user account
• wgsupport — The default user account for WatchGuard Technical Support. This user account is disabled by default. You can enable it to allow a WatchGuard Technical Support representative to connect to your device; disable it again when the support engagement ends.
You can add, edit, or delete user accounts.
• You cannot delete the three default user accounts. You can only change the passphrase for the default accounts.
Device Management User Accounts — Manage
In Policy Manager, select File > Manage Users and Roles.
• If you are logged in to the device with a Device Monitor user account, you must type an Administrator passphrase before the Manage Users and Roles dialog box opens.
Device Management User Accounts — Manage
In Fireware XTM Web UI, select System > Users and Roles.
• You must log in with a user account that has Device Administrator privileges.
Device Management User Accounts — Audit
New user accounts enable you to see which users have connected to the device to make configuration changes and what changes each user made to the device configuration.
In Fireware XTM Web UI, on the System Status > Users and Roles page, you can see the list of users logged in to the device.
• Users with Device Administrator privileges can log off users with Device Monitor privileges.
Device Management User Accounts — Audit
In FSM, on the Authentication List tab, you can see which users are logged in to the device, and open the Management Users dialog box to see the total number of connected Device Management users.
Device Management User Accounts — Audit
In WatchGuard Report Manager and WatchGuard Dimension, you can run a report that includes a list of the configuration changes made to your device and the user account that made the changes.
• In WatchGuard Report Manager, run a Firebox Reports > Audit Trail report.
• In WatchGuard Dimension, select a Device > Audit Trail report.
Device Management User Accounts — Login
If you have more than one authentication server configured on your Firebox or XTM device, when you log in to the device you must select the authentication server for the user credentials you specify.
Logging Enhancements
Configure Syslog Settings for QRadar
You can configure your Firebox or XTM device to send syslog log messages to your QRadar server for integration with IBM's QRadar SIEM.
In Policy Manager, in the Logging Setup dialog box, configure the Syslog Server settings to specify your QRadar server and select IBM LEEF for the Log format.
In Fireware XTM Web UI, select System > Logging, and configure the Syslog Server settings to specify your QRadar server and select IBM LEEF for the Log Format.
Syslog messages travel in the clear, so keep the path from the device to the QRadar collector on a trusted management network.
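As an added example, not code from the slides or from WatchGuard: a parser for the IBM LEEF event format that the Log format setting selects, followed by a small detection pass that counts Deny events per source address. The sample lines are constructed for this example; the vendor, product and attribute names in them are illustrative and are not captured Firebox output. The parser handles LEEF 1.0 (tab-separated attributes) and LEEF 2.0 (delimiter declared in the header, literally or as a hex code such as x09) and honours the backslash escape for a literal pipe.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog lines in LEEF 1.0 / 2.0 shape (illustrative names,
# not real Firebox output). LEEF 1.0 separates attributes with a tab.
SAMPLE_LINES = [
    "<14>Jan 12 10:22:31 firebox LEEF:1.0|WatchGuard|XTM|11.9|Deny|"
    + "\t".join(["src=203.0.113.7", "dst=192.0.2.10", "srcPort=51234",
                 "dstPort=22", "proto=tcp", "policy=Default-Deny"]),
    "<14>Jan 12 10:22:32 firebox LEEF:1.0|WatchGuard|XTM|11.9|Allow|"
    + "\t".join(["src=198.51.100.4", "dst=192.0.2.10", "dstPort=443", "proto=tcp"]),
    # LEEF 2.0 carries its own attribute delimiter in the header (here '^').
    "<14>Jan 12 10:22:33 firebox LEEF:2.0|WatchGuard|XTM|11.9|Deny|^|"
    + "^".join(["src=203.0.113.7", "dst=192.0.2.25", "dstPort=3389", "proto=tcp"]),
]


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attrs: dict


def _split_unescaped(text, sep, maxsplit):
    """Split on sep at most maxsplit times, treating '\\sep' as a literal sep."""
    fields, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in (sep, "\\"):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == sep and len(fields) < maxsplit:
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_leef(line):
    """Parse one syslog line carrying a LEEF 1.0 or 2.0 event."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("not a LEEF event")
    body = line[start + len("LEEF:"):]
    version = body.split("|", 1)[0]
    if version.startswith("2"):
        parts = _split_unescaped(body, "|", 6)  # version..eventID, delimiter, attrs
        if len(parts) != 7:
            raise ValueError("short LEEF 2.0 header")
        delim = parts[5]
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):  # hex form, e.g. x09 = tab
            delim = chr(int(delim[1:], 16))
        elif delim == "":
            delim = "\t"
        attr_text = parts[6]
    else:
        parts = _split_unescaped(body, "|", 5)  # version..eventID, attrs
        if len(parts) != 6:
            raise ValueError("short LEEF 1.0 header")
        delim, attr_text = "\t", parts[5]
    attrs = {}
    for kv in attr_text.split(delim):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key.strip()] = value.strip()
    return LeefEvent(version, parts[1], parts[2], parts[3], parts[4], attrs)


def denied_by_src(lines):
    """Count Deny events per source address; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        try:
            event = parse_leef(line)
        except ValueError:
            continue
        if event.event_id == "Deny" and "src" in event.attrs:
            counts[event.attrs["src"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_leef(line))
    print(denied_by_src(SAMPLE_LINES))
```

Feeding the real device output through this parser is the quickest way to confirm that the event ID and attribute keys QRadar receives are the ones your rules expect; the exact keys depend on the Fireware build and are not listed on the slides.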
Review Log Files for SSO Components
When you use Telnet to enable logging for the SSO Agent, the SSO Agent, Event Log Monitor, and Exchange Monitor all write log messages to log files, which you can review for information about the events on each SSO component.
• SSO Agent — wagsrvc.log
• Event Log Monitor — eventlogmonitor.log
• Exchange Monitor — exchangemonitor.log
The log files are in the installation directory for each SSO component:
• 64-bit servers — C:\Program Files (x86)\WatchGuard\WatchGuard Authentication Gateway
• 32-bit servers — C:\Program Files\WatchGuard\WatchGuard Authentication Gateway
Authentication Enhancements
User Lock Out for Hotspots
When you configure the settings for the hotspot on your Firebox or XTM device and select a Custom Page hotspot, you can specify the amount of time users cannot connect to the hotspot after their sessions expire.
In the User Locked Out setting, specify the amount of time in seconds, minutes, hours, or days that users are prohibited from reconnecting to the hotspot.
To allow users to always reconnect and never lock users out, specify a value of 0.
Authentication Server Timeout
When you use an Active Directory server or an LDAP server for authentication, you can specify a Timeout value: the amount of time the Firebox or XTM device waits for a response from the authentication server before it closes the connection and tries to connect again.
For PhoneFactor authentication, you can configure the timeout value in the authentication server settings to specify when out-of-band PhoneFactor authentication occurs. The timeout value must be more than 10 seconds.
Other Enhancements
Device Feedback Enhancements
Device feedback now includes additional information:
• The geographic distribution of Fireware XTM OS versions.
• Summarized information from each device about which features and services are used.
• Threats that are intercepted.
• Device health and performance.
Feedback is now sent once every six days and when the device is rebooted.
Bandwidth Statistics for Wireless Interfaces
In Fireware XTM Web UI, on the Dashboard > Interfaces page, Bandwidth tab, the Wireless Interfaces chart includes the bytes sent and bytes received through the wireless interfaces on your Firebox or XTM device.
Static ARP Enhancements
You can now add static ARP entries for Bridge, VLAN, and Link Aggregation interfaces.
You can now configure static ARP entries in the Web UI.
DHCP Option 50 Support
The DHCP server now responds to DHCP Option 50 requests (DHCP requested IP address) from DHCP clients.
Because this is a DHCP client request option, there are no changes to the DHCP server options in the interface configuration.
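As an added example, not code from the slides or from WatchGuard: how a DHCP server reads option 50 out of a DHCPREQUEST and what the option tells it. The message builder exists only to construct sample input; the parser walks the BOOTP header and the TLV option list, rejects truncated options, ignores a malformed option 50, and classifies the request per RFC 2131 section 4.3.2 (SELECTING, INIT-REBOOT or RENEWING) from the combination of option 50, option 54 and ciaddr. The addresses and MAC are placeholders.

```python
import socket
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 50, 53, 54, 255
DHCPREQUEST = 3


def build_dhcp_request(xid, mac, requested_ip=None, server_id=None, ciaddr="0.0.0.0"):
    """Construct a client DHCPREQUEST (sample input only, placeholder addresses)."""
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         socket.inet_aton(ciaddr), b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    if requested_ip:  # option 50: the address the client wants to keep or obtain
        options += bytes([OPT_REQUESTED_IP, 4]) + socket.inet_aton(requested_ip)
    if server_id:  # option 54: the server whose offer the client is accepting
        options += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(msg):
    """Parse the BOOTP header and the TLV option list; raise on truncated options."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = struct.unpack(BOOTP_FMT, msg[:236])
    options, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(msg):
            raise ValueError("truncated option header")
        length = msg[i + 1]
        data = msg[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = data
        i += 2 + length
    return {"xid": fields[4], "ciaddr": socket.inet_ntoa(fields[7]), "options": options}


def requested_ip(parsed):
    """Option 50 as a dotted quad, or None when absent or not exactly 4 bytes."""
    data = parsed["options"].get(OPT_REQUESTED_IP)
    return socket.inet_ntoa(data) if data is not None and len(data) == 4 else None


def request_state(parsed):
    """Classify a DHCPREQUEST per RFC 2131 4.3.2 so the server knows what to check."""
    opts = parsed["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        return None
    if OPT_SERVER_ID in opts and requested_ip(parsed):
        return "SELECTING"      # accepting an offer: option 50 must match what we offered
    if requested_ip(parsed) and parsed["ciaddr"] == "0.0.0.0":
        return "INIT-REBOOT"    # client reboot: verify option 50 is on the right subnet
    if parsed["ciaddr"] != "0.0.0.0":
        return "RENEWING"       # lease extension: the address is in ciaddr, not option 50
    return "INVALID"


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    msg = build_dhcp_request(0x1234, mac, requested_ip="192.0.2.50", server_id="192.0.2.1")
    parsed = parse_dhcp(msg)
    print(requested_ip(parsed), request_state(parsed))
```

The state matters because option 50 is client-supplied: in SELECTING the server should only honour it if it equals the address it offered, and in INIT-REBOOT it should NAK a requested address that is not on the client's subnet rather than hand it out.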
OSPF ECMP Routing
The OSPF dynamic routing protocol now supports ECMP (Equal Cost Multi-Path) routing.
• ECMP support is enabled by default. No new OSPF dynamic routing commands are required to enable it.
• The ECMP algorithm depends on the source and destination IP addresses of the traffic. You need at least two traffic flows with different source or destination IP addresses for ECMP load balancing to function.
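As an added example, not code from the slides or from WatchGuard: a model of source/destination hashed ECMP that shows the behaviour the second bullet describes. The hash function (CRC32 over the packed address pair) and the two-path topology are assumptions for the illustration; the slides do not state which hash Fireware uses, only that it depends on the source and destination addresses. The point the model demonstrates is that a single flow never spreads across paths, however much traffic it carries, while many distinct flows do.

```python
import socket
import zlib


def ecmp_next_hop(src, dst, next_hops):
    """Pick a next hop from a hash of the (src, dst) pair: one flow always takes one path."""
    if not next_hops:
        raise ValueError("no equal-cost next hops")
    key = socket.inet_aton(src) + socket.inet_aton(dst)
    return next_hops[zlib.crc32(key) % len(next_hops)]  # assumed hash, not Fireware's


def distribute(flows, next_hops):
    """Count how many of the given (src, dst) flows land on each next hop."""
    counts = {hop: 0 for hop in next_hops}
    for src, dst in flows:
        counts[ecmp_next_hop(src, dst, next_hops)] += 1
    return counts


def paths_used(flows, next_hops):
    """Number of next hops that carry at least one of the flows."""
    return sum(1 for n in distribute(flows, next_hops).values() if n > 0)


# Constructed topology: two equal-cost OSPF next hops toward 198.51.100.0/24.
NEXT_HOPS = ["10.0.1.2", "10.0.2.2"]
# One host talking to one server, a thousand packets: every packet hashes to the same path.
SINGLE_FLOW = [("192.0.2.10", "198.51.100.5")] * 1000
# A hundred clients talking to the same server: the hash spreads them across both paths.
MANY_FLOWS = [("192.0.2.%d" % i, "198.51.100.5") for i in range(1, 101)]


if __name__ == "__main__":
    print("single flow:", distribute(SINGLE_FLOW, NEXT_HOPS))
    print("many flows: ", distribute(MANY_FLOWS, NEXT_HOPS))
```

This is why a single throughput test from one client to one server shows no gain from ECMP: it is one flow, so the check is whether traffic from several clients or to several destinations is split, not whether one transfer goes faster.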
Thank You!